How to Sign and Verify a Document or File using PGP/GPG

Note that you will need to have GnuPG (GPG) installed before starting the tutorial.

First, a bit of background as to how this works:

A digital signature certifies and timestamps a document. 

If the document is subsequently modified in any way, a verification of the signature will fail. A digital signature can serve the same purpose as a hand-written signature with the additional benefit of being tamper-resistant.

Creating and verifying signatures uses the public/private keypair in an operation different from encryption and decryption. A signature is created using the private key of the signer. The signature is verified using the corresponding public key.

Alright, now that we know what it is all about we can take a look at how you can sign your document. I’ll show you an example after I show you what to do first.

To sign a document with PGP, run this in the command-line:

gpg --output document.sig --sign document.pdf

Where “document.pdf” is the path to the document you want to sign and compress. It doesn’t need to be a .pdf; in fact, it can be any type of file you want. After you have entered your password for your private key, GPG will output the “document.sig” file into C:\Users\YourPCName (on Windows).

To verify a document that has been signed with PGP, run this in the command line:

gpg --output document.pdf --decrypt document.sig

This will output the decrypted “document.pdf” into C:\Users\YourPCName if you have the person who signed the document’s public key. In the command line you will see something like this:

gpg: Signature made 03/12/16 12:02:38 Coordinated Universal Time using DSA key ID ABD907D3 gpg: Good signature from “Person < [email protected] >”

Now, on to an example:

Bob wants to send Kate a sensitive document, and he wants to make sure that it isn’t tampered with along the way. The document is called “classifiedinfo.docx” and it is located at D:\Users\Bob. He types this into the command line:

gpg --output classifiedinfo.sig --sign D:\Users\Bob\classifiedinfo.docx

Note that you can choose any name you like for the .sig file.

Now he types in his private key’s password, retrieves the signed file from D:\Users\Bob and sends it to Kate. He also tells her that it is a .docx file. Kate has already imported Bob’s public key into GPG.

Kate verifies and decompresses Bob’s file by running this in the command line:

gpg --output classifiedinfo.docx --decrypt C:\Users\Kate\Downloads\classifiedinfo.sig

She gets this message in the command line:

gpg: Signature made 02/12/2016 15:39:05 Central African Time using DSA key ID A657BC83 gpg: Good signature from “Bob < [email protected] >”

Good. The document is untampered and genuine. She opens it.

In my next tutorial I will show you how to clearsign a document.


Nice tutorial man! GPG is great, and we should really use it more for things.

One question though. Shouldn’t we be using the --recipient flag? Or else anybody could read it right?


–recipient flag is used when sending a file to someone like gpg -e -u “VoidAccess (Test)” -r “pry0cc” filename.txt . Here we are verifying the signature of a file to test whether it has been modified in any way

So it isn’t encrypting the file? Just signing it?

Nice stylesheet. However, would it not have made more sense to prior explained what is PGPkeyring and its trust reputation system, which are enascapable knowledge when using PGP ?

Did you think about it ? Those articles are on my todo list so, if you want some help.


1 Like